From f1765399380dd5320f40f24bea74254715bb3b7c Mon Sep 17 00:00:00 2001
From: Chris R
Date: Thu, 7 Jul 2022 14:42:05 -0700
Subject: [PATCH 1/4] Log a warning when using an untrusted developer certificate #41990
---
 .../CertificateGeneration/WindowsCertificateManager.cs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/Shared/CertificateGeneration/WindowsCertificateManager.cs b/src/Shared/CertificateGeneration/WindowsCertificateManager.cs
index 2692ef95886e..b9548df29dce 100644
--- a/src/Shared/CertificateGeneration/WindowsCertificateManager.cs
+++ b/src/Shared/CertificateGeneration/WindowsCertificateManager.cs
@@ -41,8 +41,12 @@ protected override bool IsExportable(X509Certificate2 c)
 internal override CheckCertificateStateResult CheckCertificateState(X509Certificate2 candidate, bool interactive)
 {
- // Return true as we don't perform any check.
- return new CheckCertificateStateResult(true, null);
+ if (IsTrusted(candidate))
+ {
+ return new CheckCertificateStateResult(true, null);
+ }
+
+ return new CheckCertificateStateResult(false, "The ASP.NET Core developer certificate is not trusted.");
 }
 internal override void CorrectCertificateState(X509Certificate2 candidate)
From cd75fc41c901da87019c16b646d4f0ceefafaf3c Mon Sep 17 00:00:00 2001
From: Chris R
Date: Tue, 19 Jul 2022 15:35:32 -0700
Subject: [PATCH 2/4] Check elsewhere
---
 src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs | 3 +++
 src/Servers/Kestrel/Core/src/KestrelServerOptions.cs | 5 +++++
 .../CertificateGeneration/WindowsCertificateManager.cs | 7 +------
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs b/src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs
index 8266eb8c334e..1dd02d749316 100644
--- a/src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs
+++ b/src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs
@@ -37,4 +37,7 @@ internal static partial class LoggerExtensions
 [LoggerMessage(7, LogLevel.Error, "The certificate key file at '{CertificateKeyFilePath}' can not be found, contains malformed data or does not contain a PEM encoded key in PKCS8 format.", EventName = "MissingOrInvalidCertificateKeyFile")]
 public static partial void FailedToLoadCertificateKey(this ILogger logger, string certificateKeyFilePath);
+
+ [LoggerMessage(8, LogLevel.Warning, "The ASP.NET Core developer certificate is not trusted.", EventName = "DeveloperCertificateNotTrusted")]
+ public static partial void DeveloperCertificateNotTrusted(this ILogger logger);
 }
diff --git a/src/Servers/Kestrel/Core/src/KestrelServerOptions.cs b/src/Servers/Kestrel/Core/src/KestrelServerOptions.cs
index 4575b3e77c2f..84e274202575 100644
--- a/src/Servers/Kestrel/Core/src/KestrelServerOptions.cs
+++ b/src/Servers/Kestrel/Core/src/KestrelServerOptions.cs
@@ -295,6 +295,11 @@ private void EnsureDefaultCert()
 }
 logger.LocatedDevelopmentCertificate(DefaultCertificate);
+
+ if (!CertificateManager.Instance.IsTrusted(DefaultCertificate))
+ {
+ logger.DeveloperCertificateNotTrusted();
+ }
 }
 else
 {
diff --git a/src/Shared/CertificateGeneration/WindowsCertificateManager.cs b/src/Shared/CertificateGeneration/WindowsCertificateManager.cs
index b9548df29dce..69f57066438b 100644
--- a/src/Shared/CertificateGeneration/WindowsCertificateManager.cs
+++ b/src/Shared/CertificateGeneration/WindowsCertificateManager.cs
@@ -41,12 +41,7 @@ protected override bool IsExportable(X509Certificate2 c)
 internal override CheckCertificateStateResult CheckCertificateState(X509Certificate2 candidate, bool interactive)
 {
- if (IsTrusted(candidate))
- {
- return new CheckCertificateStateResult(true, null);
- }
-
- return new CheckCertificateStateResult(false, "The ASP.NET Core developer certificate is not trusted.");
+ return new CheckCertificateStateResult(true, null);
 }
 internal override void CorrectCertificateState(X509Certificate2 candidate)
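Review bot: The added `CertificateManager.Instance.IsTrusted(DefaultCertificate)` call in EnsureDefaultCert is an advisory probe, but any exception it raises escapes the `if` and is left to whatever surrounds it on the startup path. IsTrusted is not shown on this page, and the body of EnsureDefaultCert starts and ends outside the hunk, so whether an outer handler exists and what it would log cannot be confirmed here. DefaultCertificate has already been selected at this point, so I would contain the probe: a failure is then recorded as a failed trust check and cannot be mistaken for a certificate-lookup failure. The log text in the sketch below is a placeholder.

```csharp
logger.LocatedDevelopmentCertificate(DefaultCertificate);

try
{
    if (!CertificateManager.Instance.IsTrusted(DefaultCertificate))
    {
        logger.DeveloperCertificateNotTrusted();
    }
}
catch (Exception ex)
{
    // Advisory check only: it must not change which certificate is served.
    logger.LogDebug(ex, "Could not determine whether the developer certificate is trusted."); // placeholder text
}
```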
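Review bot: The revert in CheckCertificateState restores the unconditional `return new CheckCertificateStateResult(true, null);` but not the comment that patch 1/4 removed. After the series, the method reports success with no explanation of why nothing is checked. I would put a comment back above the return, for example `// Always succeeds: no state is checked here. Trust is evaluated separately via IsTrusted.`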
From 7f24f5fbaec1aebebd4577b71b26dad24ce9519a Mon Sep 17 00:00:00 2001
From: Chris R
Date: Wed, 20 Jul 2022 10:22:23 -0700
Subject: [PATCH 3/4] Add link
---
 src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs b/src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs
index 1dd02d749316..91742c46f07e 100644
--- a/src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs
+++ b/src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs
@@ -38,6 +38,6 @@ internal static partial class LoggerExtensions
 [LoggerMessage(7, LogLevel.Error, "The certificate key file at '{CertificateKeyFilePath}' can not be found, contains malformed data or does not contain a PEM encoded key in PKCS8 format.", EventName = "MissingOrInvalidCertificateKeyFile")]
 public static partial void FailedToLoadCertificateKey(this ILogger logger, string certificateKeyFilePath);
- [LoggerMessage(8, LogLevel.Warning, "The ASP.NET Core developer certificate is not trusted.", EventName = "DeveloperCertificateNotTrusted")]
+ [LoggerMessage(8, LogLevel.Warning, "The ASP.NET Core developer certificate is not trusted. See https://aka.ms/aspnet/https-trust-dev-cert.", EventName = "DeveloperCertificateNotTrusted")]
 public static partial void DeveloperCertificateNotTrusted(this ILogger logger);
 }
From dd4fcc509f514ecf7d8ae534a5f8f77732ae942a Mon Sep 17 00:00:00 2001
From: Chris Ross
Date: Fri, 22 Jul 2022 13:10:42 -0700
Subject: [PATCH 4/4] Update src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs
Co-authored-by: James Newton-King
---
 src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs b/src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs
index 91742c46f07e..baa0c085d0a1 100644
--- a/src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs
+++ b/src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs
@@ -38,6 +38,6 @@ internal static partial class LoggerExtensions
 [LoggerMessage(7, LogLevel.Error, "The certificate key file at '{CertificateKeyFilePath}' can not be found, contains malformed data or does not contain a PEM encoded key in PKCS8 format.", EventName = "MissingOrInvalidCertificateKeyFile")]
 public static partial void FailedToLoadCertificateKey(this ILogger logger, string certificateKeyFilePath);
- [LoggerMessage(8, LogLevel.Warning, "The ASP.NET Core developer certificate is not trusted. See https://aka.ms/aspnet/https-trust-dev-cert.", EventName = "DeveloperCertificateNotTrusted")]
+ [LoggerMessage(8, LogLevel.Warning, "The ASP.NET Core developer certificate is not trusted. For information about trusting the ASP.NET Core developer certificate, see https://aka.ms/aspnet/https-trust-dev-cert.", EventName = "DeveloperCertificateNotTrusted")]
 public static partial void DeveloperCertificateNotTrusted(this ILogger logger);
 }
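Review bot: The final text of event 8 (and the shorter variant in patch 3/4) offers trusting the developer certificate as the only remedy. The call site added in patch 2/4, in KestrelServerOptions.EnsureDefaultCert, shows no environment check inside its hunk, so the warning may also reach hosts where adding a development certificate to a trust store is the wrong fix. This is hedged, because the rest of that method is not visible here. I would name the alternative in the message, for example `"The ASP.NET Core developer certificate is not trusted. For development machines, see https://aka.ms/aspnet/https-trust-dev-cert; on other hosts, configure a server certificate instead."`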